Published on 2023-01-17
Velociraptor did not properly sanitize the client id
parameter to the CreateCollection API allowing a directory
traversal in where the collection task could be written. It
was possible to provide a client id of "../clients/server" to
schedule the collection for the server (as a server
artifact), but only require privileges to schedule
collections on the client.
Normally to schedule an artifact on the server requires the
COLLECT_SERVER permissions (normally only granted to
"administrator" role), but due to this issue it is sufficient
to have the COLLECT_CLIENT privilege (normally granted to the
"investigator" role)
To exploit this vulnerability, the attacker must already
have a Velociraptor user account at a low privilege level
(not administrator but at least "investigator"). Be able
to authenticate to the GUI (e.g. via OAuth2) and issue an API
call to the backend. Typically most users deploy Velociraptor
with limited access to a trusted group (most users will be
administrators within the GUI).
This vulnerability is associated with program files https://github.Com/Velocidex/velociraptor/blob/master/services/launcher/launcher.go and program routines ScheduleArtifactCollection().
This issue affects Velociraptor: before 0.6.7-5.
Velociraptor deployment with multiple users at lower roles
than administrators (e.g. "investigators")
CWE-22 Improper Limitation of a Pathname to a Restricted
Directory ('Path Traversal') CWE-22
CAPEC-233 Privilege Escalation CAPEC-233
Product | Affected |
---|---|
Rapid7 Velociraptor
» CreateCollection API on
Windows, Linux, MacOS, 64
bit, 32 bit package reposource repohttps://github.com/Velocidex/velociraptor/blob/master/services/launcher/launcher.goScheduleArtifactCollection() Default status is unaffected | before 0.6.7-5 (unaffected from 5) |
Upgrade to 0.6.7-5
Paul Alkemade from Telstra